While there are definite benefits to having a zero trust network, it’s also convenient to terminate TLS at the load balancer and outsource all the certificate management to AWS.
First you need to create a cert with ACM, either by importing one or letting ACM issue it for you (managed renewal ftw!):
```yaml
Certificate:
  Type: AWS::CertificateManager::Certificate
  Properties:
    DomainName: !Ref 'DomainName'
    ValidationMethod: DNS
```
With that in hand, you can create the LB, Listener, Target Group and the Security Group that lets traffic reach the LB:
```yaml
LoadBalancer:
  Type: AWS::ElasticLoadBalancingV2::LoadBalancer
  Properties:
    Name: foo
    Subnets:
      - !Ref PublicSubnet1
      - ...
    SecurityGroups:
      - !Ref SecurityGroup
LoadBalancerListener:
  Type: AWS::ElasticLoadBalancingV2::Listener
  Properties:
    LoadBalancerArn: !Ref LoadBalancer
    Port: 443
    Protocol: HTTPS
    DefaultActions:
      - Type: forward
        TargetGroupArn: !Ref DefaultTargetGroup
    SslPolicy: ELBSecurityPolicy-TLS-1-2-2017-01
    Certificates:
      - CertificateArn: !Ref Certificate
DefaultTargetGroup:
  Type: AWS::ElasticLoadBalancingV2::TargetGroup
  Properties:
    Name: foo
    VpcId: !Ref Vpc
    Port: 80
    Protocol: HTTP
SecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    VpcId: !Ref Vpc
    GroupDescription: Enable HTTPS access for LB
    SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: '443'
        ToPort: '443'
        CidrIp: '0.0.0.0/0'
```
Make sure you use public subnets for the LB, or you won’t be able to reach it from the internet!
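As an added check (not part of the original post or any AWS tooling), here is a small Python linter that reads the Listener and SecurityGroup resources above in CloudFormation's JSON form (`!Ref X` becomes `{"Ref": "X"}`) and flags the things this template gets right: an HTTPS listener with a certificate attached, a TLS 1.2-only SslPolicy rather than the permissive default, and world-reachable ingress limited to 443. The resource dicts and the `LEGACY_TLS_POLICIES` set are constructed for the example.

```python
from typing import Dict, List

# Predefined ELB policies that still negotiate TLS 1.0/1.1 (the page's TLS-1-2-2017-01 is not one).
LEGACY_TLS_POLICIES = {"ELBSecurityPolicy-2016-08", "ELBSecurityPolicy-TLS-1-0-2015-04",
                       "ELBSecurityPolicy-TLS-1-1-2017-01"}

def lint_alb_template(resources: Dict[str, dict]) -> List[str]:
    """Return human-readable findings for the ALB resources; empty means the template passed."""
    findings = []
    for name, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::ElasticLoadBalancingV2::Listener":
            if props.get("Protocol") == "HTTPS":
                if not props.get("Certificates"):
                    findings.append(f"{name}: HTTPS listener has no certificate attached")
                policy = props.get("SslPolicy", "ELBSecurityPolicy-2016-08")  # AWS default when omitted
                if policy in LEGACY_TLS_POLICIES:
                    findings.append(f"{name}: SslPolicy {policy} still allows TLS 1.0/1.1")
            elif not all(a.get("Type") == "redirect" and a.get("RedirectConfig", {}).get("Protocol") == "HTTPS"
                         for a in props.get("DefaultActions", [])):
                # A plaintext listener is tolerable only when every default action redirects to HTTPS.
                findings.append(f"{name}: plaintext listener without HTTPS redirect")
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for rule in props.get("SecurityGroupIngress", []):
                lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 0))
                # World-reachable ingress should be exactly 443 (or 80 feeding a redirect listener).
                if rule.get("CidrIp") == "0.0.0.0/0" and not (lo == hi and lo in (80, 443)):
                    findings.append(f"{name}: ingress from 0.0.0.0/0 on ports {lo}-{hi}")
    return findings

# Constructed input: the page's Listener and SecurityGroup in JSON form, then a
# deliberately weakened set for contrast (plaintext listener, default policy, open SG).
PAGE_RESOURCES = {
    "LoadBalancerListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
        "Port": 443, "Protocol": "HTTPS", "SslPolicy": "ELBSecurityPolicy-TLS-1-2-2017-01",
        "DefaultActions": [{"Type": "forward", "TargetGroupArn": {"Ref": "DefaultTargetGroup"}}],
        "Certificates": [{"CertificateArn": {"Ref": "Certificate"}}]}},
    "SecurityGroup": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": "443", "ToPort": "443", "CidrIp": "0.0.0.0/0"}]}},
}
WEAK_RESOURCES = {
    "PlainListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
        "Port": 80, "Protocol": "HTTP", "DefaultActions": [{"Type": "forward"}]}},
    "OldTlsListener": {"Type": "AWS::ElasticLoadBalancingV2::Listener", "Properties": {
        "Port": 443, "Protocol": "HTTPS", "Certificates": [{"CertificateArn": {"Ref": "Certificate"}}]}},
    "WideOpenSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "CidrIp": "0.0.0.0/0"}]}},
}
```

Running `lint_alb_template(PAGE_RESOURCES)` returns no findings, while the weakened set produces one finding per resource.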